cyradm and allowing only encrypted passwords with 2.3.16?

Patrick Goetz pgoetz at
Mon Oct 4 12:51:01 EDT 2010

On 10/04/2010 11:07 AM, Dan White wrote:
> You can connect via a non plaintext mechanism, like digest-md5.

This seems like a straightforward case of RTFM, but how does one 
determine the auth mechanism?  I'm using saslauthd, pam, and have a 
self-signed certificate (which I know works):

ibis:~~$ cyradm --auth digest-md5 --tlskey /etc/ssl/private/ localhost
[ unable to get certificate from '/etc/ssl/private/' ]
[ TLS engine: cannot load cert/key data, might be a cert/key mismatch]
[ TLS engine failed ]

ibis:~ssl$ sudo ls -l /etc/ssl/private
total 8
-rw-r----- 1 root ssl-cert 887 2009-09-13 14:02
-rw-r----- 1 root ssl-cert 887 2010-04-11 14:00 ssl-cert-snakeoil.key
ibis:~ssl$ groups cyrus
cyrus : mail sasl ssl-cert

Maybe the problem is I'm still not 100% clear on how SASL works.

I have saslauthd running with
    OPTIONS="-c -m /var/run/saslauthd"

However, there's no sasl pam.d config file -- presumably SASL somehow uses

???  I don't have lmtp running in a chroot jail, which is how I can get 
away with this. smtp does run in a chroot jail, but has its own 
saslauthd with
   OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

I don't remember anyone mentioning this possibility (running multiple 
saslauthd daemons) in any howto; most people seem to jump through 
inordinate hoops to get all other programs to use the sasl socket in the 
smtp chroot jail, which seems to unnecessarily complicate things.

